December 10, 2008

The Elgg documentation describes the REST API rather superficially, yet provides no samples, and is now inaccurate for the recent versions of Elgg.

After a minor modification to your .htaccess file, using the REST API is very simple, and, in many cases, avoids the need to create individual files in your Elgg root directory to provide custom functionality.

Let me explain technically what’s going on first. Any API calls in Elgg are handled by a page handler,i.e., when the HTTP request begins with /pg/..., the .htaccess (containing mod_rewrite rules) tells Apache to use the Elgg file engine/handlers/pagehandler.php to handle the request. Elgg then determines which page handler to use, and invokes it. The REST API is known as an “API endpoint”. In this case, because the next part of the URL is rest, the API page handler passes control to the file services/api/rest.php.

The problem with the .htaccess that ships with Elgg is that it would cause the page handler to be invoked as pagehandler.php?handler=api&page=rest, discarding the querystring entirely. services/api/rest.php actually expects the method parameters to be in the querystring, so to get this to work, we simply change the following line in .htaccess:

Here is the code for a sample REST method, which would be implemented via a plugin. For this example, the following file is located at mod/rest_login/start.php (NB I had to put a space character before the ?php in line 1 for WordPress to render this listing):

There are limitations of the REST API, one of them being that the return value is rendered in a view. You can override the view by including the directory structure and file views/default/api/output.php in your module directory, but Elgg will still render it as HTML; if you need to process the result, you will need to parse this HTML. Also, if you decide to override this view, it will be overridden for any REST API method calls, not just the one implemented in your module.

One particular limitation of the sample above is that it does not authenticate! At least I couldn’t get it to work; the reason is that the API method is registered as not requiring a user authentication token. As a result, the method executes in unauthenticated fashion, and when authenticate() is called to attempt to authenticate the user, it always succeeds – regardless of the password – because pam_authenticate() returns true for the executing method. (Hopefully this would make sense to you if you’ve written an authentication plugin.)